idnits 2.17.1 draft-ietf-tcpm-converters-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([This-RFC]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 01, 2019) is 1729 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Missing Reference: 'This-RFC' is mentioned on line 1555, but not defined ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Obsolete normative reference: RFC 6824 (Obsoleted by RFC 8684) == Outdated reference: A later version (-03) exists of draft-boucadair-tcpm-dhc-converter-02 == Outdated reference: A later version (-11) exists of draft-olteanu-intarea-socks-6-07 -- Obsolete informational reference (is this intentional?): RFC 1323 (Obsoleted by RFC 7323) Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TCPM Working Group O. Bonaventure, Ed. 3 Internet-Draft Tessares 4 Intended status: Experimental M. Boucadair, Ed. 5 Expires: February 2, 2020 Orange 6 S. Gundavelli 7 Cisco 8 S. Seo 9 Korea Telecom 10 B. Hesmans 11 Tessares 12 August 01, 2019 14 0-RTT TCP Convert Protocol 15 draft-ietf-tcpm-converters-10 17 Abstract 19 This document specifies an application proxy, called Transport 20 Converter, to assist the deployment of TCP extensions such as 21 Multipath TCP. This proxy is designed to avoid inducing extra delay 22 when involved in a network-assisted connection (that is, 0-RTT). 24 This specification assumes an explicit model, where the proxy is 25 explicitly configured on hosts. 27 Editorial Note (To be removed by RFC Editor) 29 Please update these statements with the RFC number to be assigned to 30 this document: [This-RFC] 32 Please update TBA statements with the port number to be assigned to 33 the 0-RTT TCP Convert Protocol. 35 Status of This Memo 37 This Internet-Draft is submitted in full conformance with the 38 provisions of BCP 78 and BCP 79. 40 Internet-Drafts are working documents of the Internet Engineering 41 Task Force (IETF). Note that other groups may also distribute 42 working documents as Internet-Drafts. The list of current Internet- 43 Drafts is at https://datatracker.ietf.org/drafts/current/. 45 Internet-Drafts are draft documents valid for a maximum of six months 46 and may be updated, replaced, or obsoleted by other documents at any 47 time. It is inappropriate to use Internet-Drafts as reference 48 material or to cite them other than as "work in progress." 49 This Internet-Draft will expire on February 2, 2020. 51 Copyright Notice 53 Copyright (c) 2019 IETF Trust and the persons identified as the 54 document authors. All rights reserved. 56 This document is subject to BCP 78 and the IETF Trust's Legal 57 Provisions Relating to IETF Documents 58 (https://trustee.ietf.org/license-info) in effect on the date of 59 publication of this document. Please review these documents 60 carefully, as they describe your rights and restrictions with respect 61 to this document. Code Components extracted from this document must 62 include Simplified BSD License text as described in Section 4.e of 63 the Trust Legal Provisions and are provided without warranty as 64 described in the Simplified BSD License. 66 Table of Contents 68 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 69 1.1. The Problem . . . . . . . . . . . . . . . . . . . . . . . 3 70 1.2. Network-Assisted Connections: The Rationale . . . . . . . 4 71 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 6 72 3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 6 73 3.1. Functional Elements . . . . . . . . . . . . . . . . . . . 6 74 3.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 8 75 3.3. Sample Examples of Outgoing Converter-Assisted Multipath 76 TCP Connections . . . . . . . . . . . . . . . . . . . . . 12 77 3.4. Sample Example of Incoming Converter-Assisted Multipath 78 TCP Connection . . . . . . . . . . . . . . . . . . . . . 13 79 4. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 15 80 4.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 15 81 4.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 16 82 4.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 16 83 4.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 16 84 4.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 17 85 4.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 18 86 4.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 19 87 4.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 21 88 4.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 21 89 4.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 22 90 5. Compatibility of Specific TCP Options with the Conversion 91 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 92 5.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 25 93 5.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 26 94 5.3. Selective Acknowledgements . . . . . . . . . . . . . . . 26 95 5.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 27 96 5.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 27 97 5.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 27 98 5.7. TCP User Timeout . . . . . . . . . . . . . . . . . . . . 28 99 5.8. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 28 100 5.9. TCP Experimental Options . . . . . . . . . . . . . . . . 28 101 6. Interactions with Middleboxes . . . . . . . . . . . . . . . . 28 102 7. Security Considerations . . . . . . . . . . . . . . . . . . . 29 103 7.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 29 104 7.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 30 105 7.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 31 106 7.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 31 107 7.5. Multipath TCP-specific Considerations . . . . . . . . . . 32 108 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 109 8.1. Convert Service Port Number . . . . . . . . . . . . . . . 32 110 8.2. The Convert Protocol (Convert) Parameters . . . . . . . . 33 111 8.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 33 112 8.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 33 113 8.2.3. Convert Error Messages . . . . . . . . . . . . . . . 34 114 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 35 115 9.1. Normative References . . . . . . . . . . . . . . . . . . 35 116 9.2. Informative References . . . . . . . . . . . . . . . . . 37 117 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 40 118 Appendix B. Example Socket API Changes to Support the 0-RTT 119 Convert Protocol . . . . . . . . . . . . . . . . . . 42 120 B.1. Active Open (Client Side) . . . . . . . . . . . . . . . . 42 121 B.2. Passive Open (Converter Side) . . . . . . . . . . . . . . 42 122 Appendix C. Some Design Considerations . . . . . . . . . . . . . 43 123 Appendix D. Differences with SOCKSv5 . . . . . . . . . . . . . . 44 124 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 46 125 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 47 126 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 48 128 1. Introduction 130 1.1. The Problem 132 Transport protocols like TCP evolve regularly [RFC7414]. TCP has 133 been improved in different ways. Some improvements such as changing 134 the initial window size [RFC6928] or modifying the congestion control 135 scheme can be applied independently on clients and servers. Other 136 improvements such as Selective Acknowledgements [RFC2018] or large 137 windows [RFC7323] require a new TCP option or to change the semantics 138 of some fields in the TCP header. These modifications must be 139 deployed on both clients and servers to be actually used on the 140 Internet. Experience with the latter TCP extensions reveals that 141 their deployment can require many years. Fukuda reports in 142 [Fukuda2011] results of a decade of measurements showing the 143 deployment of Selective Acknowledgements, Window Scale and TCP 144 Timestamps. [ANRW17] describes measurements showing that TCP Fast 145 Open (TFO) [RFC7413] is still not widely deployed. 147 There are some situations where the transport stack used on clients 148 (or servers) can be upgraded at a faster pace than the transport 149 stack running on servers (or clients). In those situations, clients 150 would typically want to benefit from the features of an improved 151 transport protocol even if the servers have not yet been upgraded and 152 conversely. Some assistance from the network to make use of these 153 features is valuable. For example, Performance Enhancing Proxies 154 [RFC3135], and other service functions have been deployed as 155 solutions to improve TCP performance over links with specific 156 characteristics. 158 Recent examples of TCP extensions include Multipath TCP [RFC6824] or 159 TCPINC [RFC8548]. Those extensions provide features that are 160 interesting for clients such as wireless devices. With Multipath 161 TCP, those devices could seamlessly use WLAN (Wireless Local Area 162 Network) and cellular networks, for bonding purposes, faster hand- 163 overs, or better resiliency. Unfortunately, deploying those 164 extensions on both a wide range of clients and servers remains 165 difficult. 167 More recently, 5G bonding experimentation has been conducted into 168 global range of the incumbent 4G (LTE) connectivity using newly 169 devised clients and a Multipath TCP proxy. Even if the 5G and the 4G 170 bonding relying upon Multipath TCP increases the bandwidth, it is as 171 well crucial to minimize latency for all the way between endhosts 172 regardless of whether intermediate nodes are inside or outside of the 173 mobile core. In order to handle URLLC (Ultra Reliable Low Latency 174 Communication) for the next generation mobile network, Multipath TCP 175 and its proxy mechanism such as the one used to provide Access 176 Traffic Steering, Switching, and Splitting (ATSSS) must be optimized 177 to reduce latency [TS23501]. 179 1.2. Network-Assisted Connections: The Rationale 181 This document specifies an application proxy, called Transport 182 Converter. A Transport Converter is a function that is installed by 183 a network operator to aid the deployment of TCP extensions and to 184 provide the benefits of such extensions to clients. A Transport 185 Converter may provide conversion service for one or more TCP 186 extensions. Which TCP extensions are eligible to the conversion 187 service is deployment-specific. The conversion service is provided 188 by means of the 0-RTT TCP Convert Protocol (Convert), that is an 189 application-layer protocol which uses TCP port number TBA 190 (Section 8). 192 The Convert Protocol provides 0-RTT (Zero Round-Trip Time) conversion 193 service since no extra delay is induced by the protocol compared to 194 connections that are not proxied. Particularly, the Convert Protocol 195 does not require extra signaling setup delays before making use of 196 the conversion service. The Convert Protocol does not require any 197 encapsulation (no tunnels, whatsoever). 199 The Transport Converter adheres to the main principles drawn in 200 [RFC1919]. In particular, a Transport Converter achieves the 201 following: 203 o Listen for client sessions; 205 o Receive from a client the address of the final target server; 207 o Setup a session to the final server; 209 o Relay control messages and data between the client and the server; 211 o Perform access controls according to local policies. 213 The main advantage of network-assisted conversion services is that 214 they enable new TCP extensions to be used on a subset of the path 215 between endpoints, which encourages the deployment of these 216 extensions. Furthermore, the Transport Converter allows the client 217 and the server to directly negotiate TCP extensions for the sake of 218 native support along the full path. 220 The Convert Protocol is a generic mechanism to provide 0-RTT 221 conversion service. As a sample applicability use case, this 222 document specifies how the Convert Protocol applies for Multipath 223 TCP. It is out of scope of this document to provide a comprehensive 224 list of all potential conversion services. Applicability documents 225 may be defined in the future. 227 This document does not assume that all the traffic is eligible to the 228 network-assisted conversion service. Only a subset of the traffic 229 will be forwarded to a Transport Converter according to a set of 230 policies. These policies, and how they are communicated to 231 endpoints, are out of scope. Furthermore, it is possible to bypass 232 the Transport Converter to connect directly to the servers that 233 already support the required TCP extension(s). 235 This document assumes an explicit model in which a client is 236 configured with one or a list of Transport Converters (statically or 237 through protocols such as [I-D.boucadair-tcpm-dhc-converter]). 238 Configuration means are outside the scope of this document. 240 This document is organized as follows. First, Section 3 provides a 241 brief explanation of the operation of Transport Converters. Then, 242 Section 4 describes the Convert Protocol. Section 5 discusses how 243 Transport Converters can be used to support different TCP extensions. 244 Section 6 then discusses the interactions with middleboxes, while 245 Section 7 focuses on the security considerations. 247 Appendix B describes how a TCP stack would need to support the 248 protocol described in this document. Appendix C records some 249 considerations that impacted the design of the protocol. Appendix D 250 provides a comparison with SOCKS proxies that are already used to 251 deploy Multipath TCP in some cellular networks (Section 2.2 of 252 [RFC8041]). 254 2. Conventions and Definitions 256 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 257 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 258 "OPTIONAL" in this document are to be interpreted as described in BCP 259 14 [RFC2119][RFC8174] when, and only when, they appear in all 260 capitals, as shown here. 262 The information shown between brackets in the figures refers to 263 Convert Protocol messages described in Section 4. 265 Only the exchange of control messages is depicted in the figures. 267 3. Architecture 269 3.1. Functional Elements 271 The Convert Protocol considers three functional elements: 273 o Clients; 275 o Transport Converters; 277 o Servers. 279 A Transport Converter is a network function that relays all data 280 exchanged over one upstream connection to one downstream connection 281 and vice versa (Figure 1). The Transport Converter, thus, maintains 282 state that associates one upstream connection to a corresponding 283 downstream connection. 285 A connection can be initiated from both sides of the Transport 286 Converter (Internet-facing interface, customer-facing interface). 288 | 289 : 290 | 291 +------------+ 292 Client <- upstream ->| Transport |<- downstream ->Server 293 | Converter | 294 +------------+ 295 | 296 customer-facing interface : Internet-facing interface 297 | 299 Figure 1: A Transport Converter Relays Data between Pairs of TCP 300 Connections 302 "Client" refers to a software instance embedded on a host that can 303 reach a Transport Converter via its customer-facing interface. The 304 "Client" can initiate connections via a Transport Converter (referred 305 to as outgoing connections (Section 3.3)). Also, the "Client" can 306 accept incoming connections via a Transport Converter (referred to as 307 incoming connections (Section 3.4)). 309 Transport Converters can be operated by network operators or third 310 parties. Nevertheless, this document focuses on the single 311 administrative deployment case where the entity offering the 312 connectivity service to a client is also the entity which owns and 313 operates the Transport Converter. 315 A Transport Converter can be embedded in a standalone device or be 316 activated as a service on a router. How such function is enabled is 317 deployment-specific. A sample deployment is depicted in Figure 2. 319 +-+ +-+ +-+ 320 Client - |R| -- |R| -- |R| - - - Server 321 +-+ +-+ +-+ 322 | 323 +-+ 324 |R| 325 +-+ 326 | 327 +---------+ 328 |Transport| 329 |Converter| 330 +---------+ 331 R: Router 333 Figure 2: A Transport Converter Can Be Installed Anywhere in the 334 Network 336 The architecture assumes that new software will be installed on the 337 Client hosts to interact with one or more Transport Converters. 338 Furthermore, the architecture allows for making use of new TCP 339 extensions even if those are not supported by a given server. 341 A Client is configured, through means that are outside the scope of 342 this document, with the names and/or the addresses of one or more 343 Transport Converters and the TCP extensions that they support. The 344 procedure for selecting a Transport Converter among a list of 345 configured Transport Converters is outside the scope of this 346 document. 348 One of the benefits of this design is that different transport 349 protocol extensions can be used on the upstream and the downstream 350 connections. This encourages the deployment of new TCP extensions 351 until they are widely supported by servers, in particular. 353 The architecture does not mandate anything on the Server side. 355 Similar to address sharing mechanisms, the architecture does not 356 interfere with end-to-end TLS connections [RFC8446] between the 357 Client and the Server (Figure 3). In other words, end-to-end TLS is 358 supported in the presence of a Converter. 360 Client Transport Server 361 | Converter | 362 | | | 363 /==========================================\ 364 | End-to-end TLS | 365 \==========================================/ 367 * TLS messages exchanged between the Client 368 and the Server are not shown. 370 Figure 3: End-to-end TLS via a Transport Converter 372 It is out of scope of this document to elaborate on specific 373 considerations related to the use of TLS in the Client-Converter 374 connection leg to exchange Convert messages (in addition to the end- 375 to-end TLS connection). 377 3.2. Theory of Operation 379 At a high level, the objective of the Transport Converter is to allow 380 the use a specific extension, e.g., Multipath TCP, on a subset of the 381 path even if the peer does not support this extension. This is 382 illustrated in Figure 4 where the Client initiates a Multipath TCP 383 connection with the Transport Converter (packets belonging to the 384 Multipath TCP connection are shown with "===") while the Transport 385 Converter uses a regular TCP connection with the Server. 387 Client Transport Server 388 | Converter | 389 | | | 390 |==================>|--------------------->| 391 | | | 392 |<==================|<---------------------| 393 | | | 394 Multipath TCP packets Regular TCP packets 396 Figure 4: An Example of 0-RTT Network-Assisted Outgoing MPTCP 397 Connection 399 The packets belonging to the pair of connections between the Client 400 and Server passing through a Transport Converter may follow a 401 different path than the packets directly exchanged between the Client 402 and the Server. Deployments should minimize the possible additional 403 delay by carefully selecting the location of the Transport Converter 404 used to reach a given destination. 406 When establishing a connection, the Client can, depending on local 407 policies, either contact the Server directly (e.g., by sending a TCP 408 SYN towards the Server) or create the connection via a Transport 409 Converter. In the latter case (that is, the conversion service is 410 used), the Client initiates a connection towards the Transport 411 Converter and indicates the IP address and port number of the Server 412 within the connection establishment packet. Doing so enables the 413 Transport Converter to immediately initiate a connection towards that 414 Server, without experiencing an extra delay. The Transport Converter 415 waits until the receipt of the confirmation that the Server agrees to 416 establish the connection before confirming it to the Client. 418 The Client places the destination address and port number of the 419 Server in the payload of the SYN sent to the Transport Converter to 420 minimize connection establishment delays. The Transport Converter 421 maintains two connections that are combined together: 423 o the upstream connection is the one between the Client and the 424 Transport Converter. 426 o the downstream connection is between the Transport Converter and 427 the Server. 429 Any user data received by the Transport Converter over the upstream 430 (or downstream) connection is relayed over the downstream (or 431 upstream) connection. In particular, if the initial SYN message 432 contains data in its payload (e.g., [RFC7413]), that data MUST be 433 placed right after the Convert TLVs when generating the relayed SYN. 435 The Converter associates a lifetime with state entries used to bind 436 an upstream connection with its downstream connection. 438 A Transport Converter MAY operate in address preservation or address 439 sharing modes as discussed in Section 5.4 of 440 [I-D.nam-mptcp-deployment-considerations]. Which behavior to use by 441 a Transport Converter is deployment-specific. If address sharing 442 mode is enabled, the Transport Converter MUST adhere to REQ-2 of 443 [RFC6888] which implies a default "IP address pooling" behavior of 444 "Paired" (as defined in Section 4.1 of [RFC4787]) must be supported. 445 This behavior is meant to avoid breaking applications that depend on 446 the source address remaining constant. 448 Figure 5 illustrates the establishment of an outgoing TCP connection 449 by a Client through a Transport Converter. 451 Transport 452 Client Converter Server 453 | | | 454 |SYN [->Server:port]| SYN | 455 |------------------>|--------------------->| 456 |<------------------|<---------------------| 457 | SYN+ACK [ ] | SYN+ACK | 458 | ... | ... | 460 Figure 5: Establishment of an Outgoing TCP Connection Through a 461 Transport Converter 463 The Client sends a SYN destined to the Transport Converter. The 464 payload of this SYN contains the address and port number of the 465 Server. The Transport Converter does not reply immediately to this 466 SYN. It first tries to create a TCP connection towards the target 467 Server. If this upstream connection succeeds, the Transport 468 Converter confirms the establishment of the connection to the Client 469 by returning a SYN+ACK and the first bytes of the bytestream contain 470 information about the TCP options that were negotiated with the 471 Server. 473 The connection can also be established from the Internet towards a 474 Client via a Transport Converter (Figure 6). This is typically the 475 case when an application on the Client listens to a specific port 476 (the Client hosts an application server, typically). When the 477 Converter receives an incoming SYN from a remote host, it checks if 478 it can provide the conversion service for the destination IP address 479 and destination port number of that SYN. If the check is successful, 480 the Converter inserts the source IP address and source port number in 481 the SYN packet, rewrites the source IP address to one of its IP 482 addresses and, eventually (i.e., only when the Converter is 483 configured in an address sharing mode), the destination IP address 484 and port number in accordance with any information stored locally. 485 That SYN is then forwarded to the next hop. SYN+ACK and ACK will be 486 then exchanged between the Client, the Converter, and remote host to 487 confirm the establishment of the connection. 489 Transport Remote 490 Client Converter Host (RH) 491 | | | 492 |SYN [<-RH IP@:port]| SYN | 493 |<------------------|<---------------------| 494 |------------------>|--------------------->| 495 | SYN+ACK [ ] | SYN+ACK | 496 | ... | ... | 498 Figure 6: Establishment of an Incoming TCP Connection Through a 499 Transport Converter 501 Standard TCP ([RFC0793], Section 3.4) allows a SYN packet to carry 502 data inside its payload but forbids the receiver from delivering it 503 to the application until completion of the three-way-handshake. To 504 enable applications to exchange data in a TCP handshake, this 505 specification follows an approach similar to TCP Fast Open [RFC7413] 506 and thus removes the constraint by allowing data in SYN packets to be 507 delivered to the Transport Converter application. 509 As discussed in [RFC7413], such change to TCP semantic raises two 510 issues. First, duplicate SYNs can cause problems for some 511 applications that rely on TCP. Second, TCP suffers from SYN flooding 512 attacks [RFC4987]. TFO solves these two problems for applications 513 that can tolerate replays by using the TCP Fast Open option that 514 includes a cookie. However, the utilization of this option consumes 515 space in the limited TCP header. Furthermore, there are situations, 516 as noted in Section 7.3 of [RFC7413] where it is possible to accept 517 the payload of SYN packets without creating additional security risks 518 such as a network where addresses cannot be spoofed and the Transport 519 Converter only serves a set of hosts that are identified by these 520 addresses. 522 For these reasons, this specification does not mandate the use of the 523 TCP Fast Open option when the Client sends a connection establishment 524 packet towards a Transport Converter. The Convert protocol includes 525 an optional Cookie TLV that provides similar protection as the TCP 526 Fast Open option without consuming space in the extended TCP header. 527 In particular, this design allows for the use of longer cookies. 529 If the downstream (or upstream) connection fails for some reason 530 (excessive retransmissions, reception of an RST segment, etc.), then 531 the Converter should force the teardown of the upstream (or 532 downstream) connection. 534 The same reasoning applies when the upstream connection ends. In 535 this case, the Converter should also terminate the downstream 536 connection by using FIN segments. If the downstream connection 537 terminates with the exchange of FIN segments, the Converter should 538 initiate a graceful termination of the upstream connection. 540 3.3. Sample Examples of Outgoing Converter-Assisted Multipath TCP 541 Connections 543 As an example, let us consider how the Convert protocol can help the 544 deployment of Multipath TCP. We assume that both the Client and the 545 Transport Converter support Multipath TCP, but consider two different 546 cases depending on whether the Server supports Multipath TCP or not. 548 As a reminder, a Multipath TCP connection is created by placing the 549 MP_CAPABLE (MPC) option in the SYN sent by the Client. 551 Figure 7 describes the operation of the Transport Converter if the 552 Server does not support Multipath TCP. 554 Transport 555 Client Converter Server 556 |SYN, | | 557 |MPC [->Server:port]| SYN, MPC | 558 |------------------>|--------------------->| 559 |<------------------|<---------------------| 560 | SYN+ACK,MPC [.] | SYN+ACK | 561 |------------------>|--------------------->| 562 | ACK, MPC | ACK | 563 | | | 564 | ... | ... | 566 Figure 7: Establishment of a Multipath TCP Connection Through a 567 Transport Converter towards a Server that Does Not Support Multipath 568 TCP 570 The Client tries to initiate a Multipath TCP connection by sending a 571 SYN with the MP_CAPABLE option (MPC in Figure 7). The SYN includes 572 the address and port number of the target Server, that are extracted 573 and used by the Transport Converter to initiate a Multipath TCP 574 connection towards this Server. Since the Server does not support 575 Multipath TCP, it replies with a SYN+ACK that does not contain the 576 MP_CAPABLE option. The Transport Converter notes that the connection 577 with the Server does not support Multipath TCP and returns the 578 extended TCP header received from the Server to the Client. 580 Note that, if the TCP connection fails for some reason, the Converter 581 tears down the Multipath TCP connection by transmitting a 582 MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with 583 the transmission of DATA_FINs, the Converter terminates the TCP 584 connection by using FIN segments. As a side note, given that with 585 Multipath TCP, RST only has the scope of the subflow and will only 586 close the concerned subflow but not affect the remaining subflows, 587 the Converter does not terminate the TCP connection upon receipt of 588 an RST over a Multipath subflow. 590 Figure 8 considers a Server that supports Multipath TCP. In this 591 case, it replies to the SYN sent by the Transport Converter with the 592 MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport 593 Converter confirms the establishment of the connection to the Client 594 and indicates to the Client that the Server supports Multipath TCP. 595 With this information, the Client has discovered that the Server 596 supports Multipath TCP natively. This will enable the Client to 597 bypass the Transport Converter for the subsequent Multipath TCP 598 connections that it will initiate towards this Server. 600 Transport 601 Client Converter Server 602 |SYN, | | 603 |MPC [->Server:port]| SYN, MPC | 604 |------------------>|--------------------->| 605 |<------------------|<---------------------| 606 |SYN+ACK, | SYN+ACK, MPC | 607 |MPC [MPC supported]| | 608 |------------------>|--------------------->| 609 | ACK, MPC | ACK, MPC | 610 | | | 611 | ... | ... | 613 Figure 8: Establishment of a Multipath TCP Connection Through a 614 Converter Towards an MPTCP-capable Server 616 3.4. Sample Example of Incoming Converter-Assisted Multipath TCP 617 Connection 619 An example of an incoming Converter-assisted Multipath TCP connection 620 is depicted in Figure 9. In order to support incoming connections 621 from remote hosts, the Client may use PCP [RFC6887] to instruct the 622 Transport Converter to create dynamic mappings. Those mappings will 623 be used by the Transport Converter to intercept an incoming TCP 624 connection destined to the Client and convert it into a Multipath TCP 625 connection. 627 Typically, the Client sends a PCP request to the Converter asking to 628 create an explicit TCP mapping for (internal IP address, internal 629 port number). The Converter accepts the request by creating a TCP 630 mapping (internal IP address, internal port number, external IP 631 address, external port number). The external IP address and external 632 port number will be then advertised using an out-of-band mechanism so 633 that remote hosts can initiate TCP connections to the Client via the 634 Converter. Note that the external and internal information may be 635 the same. 637 Then, when the Converter receives an incoming SYN, it checks its 638 mapping table to verify if there is an active mapping matching the 639 destination IP address and destination port of that SYN. If an entry 640 is found, the Converter inserts an MP_CAPABLE option and Connect TLV 641 in the SYN packet, rewrites the source IP address to one of its IP 642 addresses and, eventually, the destination IP address and port number 643 in accordance with the information stored in the mapping. SYN+ACK 644 and ACK will be then exchanged between the Client and the Converter 645 to confirm the establishment of the initial subflow. The Client can 646 add new subflows following normal Multipath TCP procedures. 648 Transport Remote 649 Client Converter Host 650 | | | 651 |<--------------------|<-------------------| 652 |SYN, | SYN | 653 |MPC[Remote Host:port]| | 654 |-------------------->|------------------->| 655 | SYN+ACK, MPC | SYN+ACK | 656 |<--------------------|<-------------------| 657 | ACK, MPC | ACK | 658 | | | 659 | ... | ... | 661 Figure 9: Establishment of an Incoming Multipath TCP Connection 662 through a Transport Converter 664 It is out of scope of this document to define specific Convert TLVs 665 to manage incoming connections. These TLVs can be defined in a 666 separate document. 668 4. The Convert Protocol (Convert) 670 This section defines the Convert protocol (Convert, for short) 671 messages that are exchanged between a Client and a Transport 672 Converter. 674 By default, the Transport Converter listens on TCP port number TBA 675 for Convert messages from Clients. 677 Clients send packets bound to connections eligible to the conversion 678 service to the provisioned Transport Converter using TBA as 679 destination port number. This applies for both control and data 680 messages. Additional information is supplied by Clients to the 681 Transport Converter by means of Convert messages as detailed in the 682 following sub-sections. 684 Convert messages may appear only in a SYN, SYN+ACK, or ACK. 686 Convert messages MUST be included as the first bytes of the 687 bytestream. All Convert messages start with a 32 bits long fixed 688 header (Section 4.1) followed by one or more Convert TLVs (Type, 689 Length, Value) (Section 4.2). 691 4.1. The Convert Fixed Header 693 The Convert Protocol uses a 32 bits long fixed header that is sent by 694 both the Client and the Transport Converter over each established 695 connection. This header indicates both the version of the protocol 696 used and the length of the Convert message. 698 The Client and the Transport Converter MUST send the fixed-sized 699 header, shown in Figure 10, as the first four bytes of the 700 bytestream. 702 1 2 3 703 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 704 +---------------+---------------+-------------------------------+ 705 | Version | Total Length | Unassigned | 706 +---------------+---------------+-------------------------------+ 708 Figure 10: The Fixed-Sized Header of the Convert Protocol 710 The Version is encoded as an 8 bits unsigned integer value. This 711 document specifies version 1. Version 0 is reserved by this document 712 and MUST NOT be used. 714 The Total Length is the number of 32 bits word, including the header, 715 of the bytestream that are consumed by the Convert messages. Since 716 Total Length is also an 8 bits unsigned integer, those messages 717 cannot consume more than 1020 bytes of data. This limits the number 718 of bytes that a Transport Converter needs to process. A Total Length 719 of zero is invalid and the connection MUST be reset upon reception of 720 a header with such total length. 722 The Unassigned field MUST be set to zero in this version of the 723 protocol. These bits are available for future use [RFC8126]. 725 Data added by the Convert protocol to the TCP bytestream is 726 unambiguously distinguished from payload data by the Total Length 727 field in the Convert messages. 729 4.2. Convert TLVs 731 4.2.1. Generic Convert TLV Format 733 The Convert protocol uses variable length messages that are encoded 734 using the generic TLV format depicted in Figure 11. 736 The length of all TLVs used by the Convert protocol is always a 737 multiple of four bytes. All TLVs are aligned on 32 bits boundaries. 738 All TLV fields are encoded using the network byte order. 740 1 2 3 741 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 742 +---------------+---------------+-------------------------------+ 743 | Type | Length | Value ... | 744 +---------------+---------------+-------------------------------+ 745 // ... (optional) Value // 746 +---------------------------------------------------------------+ 748 Figure 11: Convert Generic TLV Format 750 The Length field covers Type, Length, and Value fields. It is 751 expressed in units of 32 bits words. If necessary, Value MUST be 752 padded with zeroes so that the length of the TLV is a multiple of 32 753 bits. 755 A given TLV MUST only appear once on a connection. If two or more 756 instances of the same TLV are exchanged over a Convert connection, 757 the associated TCP connections MUST be closed. 759 4.2.2. Summary of Supported Convert TLVs 761 This document specifies the following Convert TLVs: 763 +------+-----+----------+------------------------------------------+ 764 | Type | Hex | Length | Description | 765 +------+-----+----------+------------------------------------------+ 766 | 1 | 0x1 | 1 | Info TLV | 767 | 10 | 0xA | Variable | Connect TLV | 768 | 20 | 0x14| Variable | Extended TCP Header TLV | 769 | 21 | 0x15| Variable | Supported TCP Extensions TLV | 770 | 22 | 0x16| Variable | Cookie TLV | 771 | 30 | 0x1E| Variable | Error TLV | 772 +------+-----+----------+------------------------------------------+ 774 Figure 12: The TLVs used by the Convert Protocol 776 Type 0x0 is a reserved valued. Implementations MUST discard messages 777 with such TLV. 779 The Client typically sends in the first connection it established 780 with a Transport Converter the Info TLV (Section 4.2.3) to learn its 781 capabilities. Assuming the Client is authorized to invoke the 782 Transport Converter, the latter replies with the Supported TCP 783 Extensions TLV (Section 4.2.4). 785 The Client can request the establishment of connections to servers by 786 using the Connect TLV (Section 4.2.5). If the connection can be 787 established with the final server, the Transport Converter replies 788 with the Extended TCP Header TLV (Section 4.2.6). If not, the 789 Transport Converter returns an Error TLV (Section 4.2.8) and then 790 closes the connection. 792 When an error is encountered an Error TLV with the appropriate error 793 code MUST be returned by the Transport Converter. 795 4.2.3. The Info TLV 797 The Info TLV (Figure 13) is an optional TLV which can be sent by a 798 Client to request the TCP extensions that are supported by a 799 Transport Converter. It is typically sent on the first connection 800 that a Client establishes with a Transport Converter to learn its 801 capabilities. Assuming a Client is entitled to invoke the Transport 802 Converter, the latter replies with the Supported TCP Extensions TLV 803 described in Section 4.2.4. 805 1 2 3 806 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 807 +---------------+---------------+-------------------------------+ 808 | Type=0x1 | Length | Zero | 809 +---------------+---------------+-------------------------------+ 811 Figure 13: The Info TLV 813 4.2.4. Supported TCP Extensions TLV 815 The Supported TCP Extensions TLV (Figure 14) is used by a Transport 816 Converter to announce the TCP options for which it provides a 817 conversion service. A Transport Converter SHOULD include in this 818 list the TCP options that it accepts from Clients; these options are 819 included by the Transport Converter in the SYN packets that it sends 820 to initiate connections. 822 Each supported TCP option is encoded with its TCP option Kind listed 823 in the "TCP Parameters" registry maintained by IANA. 825 1 2 3 826 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 827 +---------------+---------------+-------------------------------+ 828 | Type=0x15 | Length | Unassigned | 829 +---------------+---------------+-------------------------------+ 830 | Kind #1 | Kind #2 | ... | 831 +---------------+---------------+-------------------------------+ 832 / ... / 833 / / 834 +---------------------------------------------------------------+ 836 Figure 14: The Supported TCP Extensions TLV 838 TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by 839 all TCP implementations and thus MUST NOT appear in this list. 841 The list of Supported TCP Extensions is padded with 0 to end on a 32 842 bits boundary. 844 For example, if the Transport Converter supports Multipath TCP, 845 Kind=30 will be present in the Supported TCP Extensions TLV that it 846 returns in response to Info TLV. 848 4.2.5. Connect TLV 850 The Connect TLV (Figure 15) is used to request the establishment of a 851 connection via a Transport Converter. This connection can be from or 852 to a Client. 854 The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain 855 the destination port number and IP address of the Server, for 856 outgoing connections. For incoming connections destined to a Client 857 serviced via a Transport Converter, these fields convey the source 858 port number and IP address. 860 The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4 861 addresses MUST be encoded using the IPv4-Mapped IPv6 Address format 862 defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT 863 include multicast, broadcast, and host loopback addresses [RFC6890]. 864 Connect TLVs witch such messages MUST be discarded by the Transport 865 Converter. 867 We distinguish two types of Connect TLV based on their length: (1) 868 the base Connect TLV has a length of 20 bytes and contains a remote 869 address and a remote port, (2) the extended Connect TLV spans more 870 than 20 bytes and also includes the optional 'TCP Options' field. 871 This field is used to specify how specific TCP options should be 872 advertised by the Transport Converter to the server. 874 1 2 3 875 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 876 +---------------+---------------+-------------------------------+ 877 | Type=0xA | Length | Remote Peer Port | 878 +---------------+---------------+-------------------------------+ 879 | | 880 | Remote Peer IP Address (128 bits) | 881 | | 882 | | 883 +---------------------------------------------------------------+ 884 / TCP Options (Variable) / 885 / ... / 886 +---------------------------------------------------------------+ 888 Figure 15: The Connect TLV 890 The 'TCP Options' field is a variable length field that carries a 891 list of TCP option fields (Figure 16). Each TCP option field is 892 encoded as a block of 2+n bytes where the first byte is the TCP 893 option Kind and the second byte is the length of the TCP option as 894 specified in [RFC0793]. The minimum value for the TCP option Length 895 is 2. The TCP options that do not include a length subfield, i.e., 896 option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be 897 placed inside the TCP options field of the Connect TLV. The optional 898 Value field contains the variable-length part of the TCP option. A 899 length of two indicates the absence of the Value field. The TCP 900 options field always ends on a 32 bits boundary after being padded 901 with zeros. 903 1 2 3 904 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 905 +---------------+---------------+---------------+---------------+ 906 | TCPOpt kind | TCPOpt Length | Value (opt) | .... | 907 +---------------+---------------+---------------+---------------+ 908 | .... | 909 +---------------------------------------------------------------+ 910 | ... | 911 +---------------------------------------------------------------+ 913 Figure 16: The TCP Options Field 915 Upon reception of a Connect TLV, and absent any policy (e.g., rate- 916 limit) or resource exhaustion conditions, a Transport Converter 917 attempts to establish a connection to the address and port that it 918 contains. The Transport Converter MUST use by default the TCP 919 options that correspond to its local policy to establish this 920 connection. These are the options that it advertises in the 921 Supported TCP Extensions TLV. 923 Upon reception of an extended Connect TLV, and absent any rate limit 924 policy or resource exhaustion conditions, a Transport Converter MUST 925 attempt to establish a connection to the address and port that it 926 contains. It MUST include the options of the 'TCP Options' subfield 927 in the SYN sent to the Server in addition to the TCP options that it 928 would have used according to its local policies. For the TCP options 929 that are listed without an optional value, the Transport Converter 930 MUST generate its own value. For the TCP options that are included 931 in the 'TCP Options' field with an optional value, it MUST copy the 932 entire option for use in the connection with the destination peer. 933 This feature is required to support TCP Fast Open. 935 The Transport Converter may discard a Connect TLV request for various 936 reasons (e.g., authorization failed, out of resources, invalid 937 address type). An error message indicating the encountered error is 938 returned to the requesting Client (Section 4.2.8). In order to 939 prevent denial-of-service attacks, error messages sent to a Client 940 SHOULD be rate-limited. 942 4.2.6. Extended TCP Header TLV 944 The Extended TCP Header TLV (Figure 17) is used by the Transport 945 Converter to send to the Client the extended TCP header that was 946 returned by the Server in the SYN+ACK packet. This TLV is only sent 947 if the Client sent a Connect TLV to request the establishment of a 948 connection. 950 1 2 3 951 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 952 +---------------+---------------+-------------------------------+ 953 | Type=0x14 | Length | Unassigned | 954 +---------------+---------------+-------------------------------+ 955 / Returned Extended TCP header / 956 / ... / 957 +---------------------------------------------------------------+ 959 Figure 17: The Extended TCP Header TLV 961 The Returned Extended TCP header field is a copy of the extended 962 header that was received in the SYN+ACK by the Transport Converter. 964 The Unassigned field MUST be set to zero by the sender and ignored by 965 the receiver. These bits are available for future use [RFC8126]. 967 4.2.7. The Cookie TLV 969 The Cookie TLV (Figure 18 is an optional TLV which use is similar to 970 the TCP Fast Open Cookie [RFC7413]. A Transport Converter may want 971 to verify that a Client can receive the packets that it sends to 972 prevent attacks from spoofed addresses. This verification can be 973 done by using a Cookie that is bound to, for example, the IP 974 address(es) of the Client. This Cookie can be configured on the 975 Client by means that are outside of this document or provided by the 976 Transport Converter as follows. 978 A Transport Converter that has been configured to use the optional 979 Cookie TLV MUST verify the presence of this TLV in the payload of the 980 received SYN. If this TLV is present, the Transport Converter MUST 981 validate the Cookie by means similar to those in Section 4.1.2 of 982 [RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the 983 connection establishment procedure can continue. Otherwise, the 984 Transport Converter MUST return an Error TLV set to "Not Authorized" 985 and close the connection. 987 If the received SYN did not contain a Cookie TLV, and cookie 988 validation is required, the Transport Converter should compute a 989 Cookie bound to this Client address and return a Convert message 990 containing the fixed header, an Error TLV set to "Missing Cookie" and 991 the computed Cookie and close the connection. The Client will react 992 to this error by storing the received Cookie in its cache and attempt 993 to reestablish a new connection to the Transport Converter that 994 includes the Cookie TLV. 996 The format of the Cookie TLV is shown in Figure 18. 998 1 2 3 999 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1000 +---------------+---------------+-------------------------------+ 1001 | Type=0x16 | Length | Zero | 1002 +---------------+---------------+-------------------------------+ 1003 / Opaque Cookie / 1004 / ... / 1005 +---------------------------------------------------------------+ 1007 Figure 18: The Cookie TLV 1009 4.2.8. Error TLV 1011 The Error TLV (Figure 19) is meant to provide information about some 1012 errors that occurred during the processing of a Convert message. 1013 This TLV has a variable length. Upon reception of an Error TLV, a 1014 Client MUST close the associated connection. 1016 1 2 3 1017 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1018 +---------------+---------------+----------------+--------------+ 1019 | Type=0x1E | Length | Error Code | Value | 1020 +---------------+---------------+----------------+--------------+ 1021 // ... (optional) Value // 1022 +---------------------------------------------------------------+ 1024 Figure 19: The Error TLV 1026 Different types of errors can occur while processing Convert 1027 messages. Each error is identified by an Error Code represented as 1028 an unsigned integer. Four classes of error codes are defined: 1030 o Message validation and processing errors (0-31 range): returned 1031 upon reception of an invalid message (including valid messages but 1032 with invalid or unknown TLVs). 1034 o Client-side errors (32-63 range): the Client sent a request that 1035 could not be accepted by the Transport Converter (e.g., 1036 unsupported operation). 1038 o Converter-side errors (64-95 range): problems encountered on the 1039 Transport Converter (e.g., lack of resources) which prevent it 1040 from fulfilling the Client's request. 1042 o Errors caused by the destination server (96-127 range): the final 1043 destination could not be reached or it replied with a reset. 1045 The following error codes are defined in this document: 1047 o Unsupported Version (0): The version number indicated in the fixed 1048 header of a message received from a peer is not supported. 1050 This error code MUST be generated by a Transport Converter (or 1051 Client) when it receives a request having a version number that it 1052 does not support. 1054 The value field MUST be set to the version supported by the 1055 Transport Converter (or Client). When multiple versions are 1056 supported by the Transport Converter (or Client), it includes the 1057 list of supported version in the value field; each version is 1058 encoded in 8 bits. The list of supported versions should be 1059 padded with zeros to end on a 32 bits boundary. 1061 Upon receipt of this error code, the Client (or Transport 1062 Converter) checks whether it supports one of the versions returned 1063 by the Transport Converter (or Client). The highest common 1064 supported version MUST be used by the Client (or Transport 1065 Converter) in subsequent exchanges with the Transport Converter 1066 (or Client). 1068 o Malformed Message (1): This error code is sent to indicate that a 1069 message received from a peer is can not be successfully parsed and 1070 validated. 1072 Typically, this error code is sent by the Transport Converter if 1073 it receives a Connect TLV enclosing a multicast, broadcast, or 1074 loopback IP address. 1076 To ease troubleshooting, the value field MUST echo the received 1077 message shifted by one byte to keep to original alignment of the 1078 message. 1080 o Unsupported Message (2): This error code is sent to indicate that 1081 a message type received from a peer is not supported. 1083 To ease troubleshooting, the value field MUST echo the received 1084 message shifted by one byte to keep to original alignment of the 1085 message. 1087 o Missing Cookie (3): If a Transport Converter requires the 1088 utilization of Cookies to prevent spoofing attacks and a Cookie 1089 TLV was not included in the Convert message, the Transport 1090 Converter MUST return this error to the requesting client. The 1091 first byte of the value field MUST be set to zero and the 1092 remaining bytes of the Error TLV contain the Cookie computed by 1093 the Transport Converter for this Client. 1095 A Client which receives this error code MUST cache the received 1096 Cookie and include it in subsequent Convert messages sent to that 1097 Transport Converter. 1099 o Not Authorized (32): This error code indicates that the Transport 1100 Converter refused to create a connection because of a lack of 1101 authorization (e.g., administratively prohibited, authorization 1102 failure, invalid Cookie TLV, etc.). The Value field MUST be set 1103 to zero. 1105 This error code MUST be sent by the Transport Converter when a 1106 request cannot be successfully processed because the authorization 1107 failed. 1109 o Unsupported TCP Option (33): A TCP option that the Client 1110 requested to advertise to the final Server cannot be safely used. 1112 The Value field is set to the type of the unsupported TCP option. 1113 If several unsupported TCP options were specified in the Connect 1114 TLV, then the list of unsupported TCP options is returned. The 1115 list of unsupported TCP options MUST be padded with zeros to end 1116 on a 32 bits boundary. 1118 o Resource Exceeded (64): This error indicates that the Transport 1119 Converter does not have enough resources to perform the request. 1121 This error MUST be sent by the Transport Converter when it does 1122 not have sufficient resources to handle a new connection. The 1123 Transport Converter may indicate in the Value field the suggested 1124 delay (in seconds) that the Client SHOULD wait before soliciting 1125 the Transport Converter for a new proxied connection. A Value of 1126 zero corresponds to a default delay of at least 30 seconds. 1128 o Network Failure (65): This error indicates that the Transport 1129 Converter is experiencing a network failure to relay the request. 1131 The Transport Converter MUST send this error code when it 1132 experiences forwarding issues to relay a connection. The 1133 Transport Converter may indicate in the Value field the suggested 1134 delay (in seconds) that the Client SHOULD wait before soliciting 1135 the Transport Converter for a new proxied connection. A Value of 1136 zero corresponds to a default delay of at least 30 seconds. 1138 o Connection Reset (96): This error indicates that the final 1139 destination responded with an RST packet. The Value field MUST be 1140 set to zero. 1142 o Destination Unreachable (97): This error indicates that an ICMP 1143 destination unreachable, port unreachable, or network unreachable 1144 was received by the Transport Converter. The Value field MUST 1145 echo the Code field of the received ICMP message. 1147 Figure 20 summarizes the different error codes. 1149 +-------+------+-----------------------------------------------+ 1150 | Error | Hex | Description | 1151 +-------+------+-----------------------------------------------+ 1152 | 0 | 0x00 | Unsupported Version | 1153 | 1 | 0x01 | Malformed Message | 1154 | 2 | 0x02 | Unsupported Message | 1155 | 3 | 0x03 | Missing Cookie | 1156 | 32 | 0x20 | Not Authorized | 1157 | 33 | 0x21 | Unsupported TCP Option | 1158 | 64 | 0x40 | Resource Exceeded | 1159 | 65 | 0x41 | Network Failure | 1160 | 96 | 0x60 | Connection Reset | 1161 | 97 | 0x61 | Destination Unreachable | 1162 +-------+------+-----------------------------------------------+ 1164 Figure 20: Convert Error Values 1166 5. Compatibility of Specific TCP Options with the Conversion Service 1168 In this section, we discuss how several standard track TCP options 1169 can be supported through the Convert protocol. The non-standard 1170 track options and the experimental options will be discussed in other 1171 documents. 1173 5.1. Base TCP Options 1175 Three TCP options were initially defined in [RFC0793]: End-of-Option 1176 List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size 1177 (Kind=2). The first two options are mainly used to pad the TCP 1178 header. There is no reason for a client to request a Transport 1179 Converter to specifically send these options towards the final 1180 destination. 1182 The Maximum Segment Size option (Kind=2) is used by a host to 1183 indicate the largest segment that it can receive over each 1184 connection. This value is function of the stack that terminates the 1185 TCP connection. There is no reason for a Client to request a 1186 Transport Converter to advertise a specific MSS value to a remote 1187 server. 1189 A Transport Converter MUST ignore options with Kind=0, 1 or 2 if they 1190 appear in a Connect TLV. It MUST NOT announce them in a Supported 1191 TCP Extensions TLV. 1193 5.2. Window Scale (WS) 1195 The Window Scale (WS) option (Kind=3) is defined in [RFC7323]. As 1196 for the MSS option, the window scale factor that is used for a 1197 connection strongly depends on the TCP stack that handles the 1198 connection. When a Transport Converter opens a TCP connection 1199 towards a remote server on behalf of a Client, it SHOULD use a WS 1200 option with a scaling factor that corresponds to the configuration of 1201 its stack. A local configuration MAY allow for WS option in the 1202 proxied message to be function of the scaling factor of the incoming 1203 connection. 1205 There is no benefit from a deployment viewpoint in enabling a Client 1206 of a Transport Converter to specifically request the utilization of 1207 the WS option (Kind=3) with a specific scaling factor towards a 1208 remote Server. For this reason, a Transport Converter MUST ignore 1209 option Kind=3 if it appears in a Connect TLV. It MUST NOT announce 1210 it in a Supported TCP Extensions TLV. 1212 5.3. Selective Acknowledgements 1214 Two distinct TCP options were defined to support selective 1215 acknowledgements in [RFC2018]. This first one, SACK Permitted 1216 (Kind=4), is used to negotiate the utilization of selective 1217 acknowledgements during the three-way handshake. The second one, 1218 SACK (Kind=5), carries the selective acknowledgements inside regular 1219 segments. 1221 The SACK Permitted option (Kind=4) MAY be advertised by a Transport 1222 Converter in the Supported TCP Extensions TLV. Clients connected to 1223 this Transport Converter MAY include the SACK Permitted option in the 1224 Connect TLV. 1226 The SACK option (Kind=5) cannot be used during the three-way 1227 handshake. For this reason, a Transport Converter MUST ignore option 1228 Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a 1229 TCP Supported Extensions TLV. 1231 5.4. Timestamp 1233 The Timestamp option was initially defined in [RFC1323] and later 1234 refined in [RFC7323]. It can be used during the three-way handshake 1235 to negotiate the utilization of timestamps during the TCP connection. 1236 It is notably used to improve round-trip-time estimations and to 1237 provide protection against wrapped sequence numbers (PAWS). As for 1238 the WS option, the timestamps are a property of a connection and 1239 there is limited benefit in enabling a client to request a Transport 1240 Converter to use the timestamp option when establishing a connection 1241 to a remote server. Furthermore, the timestamps that are used by TCP 1242 stacks are specific to each stack and there is no benefit in enabling 1243 a client to specify the timestamp value that a Transport Converter 1244 could use to establish a connection to a remote server. 1246 A Transport Converter MAY advertise the Timestamp option (Kind=8) in 1247 the TCP Supported Extensions TLV. The clients connected to this 1248 Transport Converter MAY include the Timestamp option in the Connect 1249 TLV but without any timestamp. 1251 5.5. Multipath TCP 1253 The Multipath TCP options are defined in [RFC6824]. [RFC6824] 1254 defines one variable length TCP option (Kind=30) that includes a 1255 subtype field to support several Multipath TCP options. There are 1256 several operational use cases where clients would like to use 1257 Multipath TCP through a Transport Converter [IETFJ16]. However, none 1258 of these use cases require the Client to specify the content of the 1259 Multipath TCP option that the Transport Converter should send to a 1260 remote server. 1262 A Transport Converter which supports Multipath TCP conversion service 1263 MUST advertise the Multipath TCP option (Kind=30) in the Supported 1264 TCP Extensions TLV. Clients serviced by this Transport Converter may 1265 include the Multipath TCP option in the Connect TLV but without any 1266 content. 1268 5.6. TCP Fast Open 1270 The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413]. 1271 There are two different usages of this option that need to be 1272 supported by Transport Converters. The first utilization of the TCP 1273 Fast Open cookie option is to request a cookie from the server. In 1274 this case, the option is sent with an empty cookie by the client and 1275 the server returns the cookie. The second utilization of the TCP 1276 Fast Open cookie option is to send a cookie to the server. In this 1277 case, the option contains a cookie. 1279 A Transport Converter MAY advertise the TCP Fast Open cookie option 1280 (Kind=34) in the Supported TCP Extensions TLV. If a Transport 1281 Converter has advertised the support for TCP Fast Open in its 1282 Supported TCP Extensions TLV, it needs to be able to process two 1283 types of Connect TLV. If such a Transport Converter receives a 1284 Connect TLV with the TCP Fast Open cookie option that does not 1285 contain a cookie, it MUST add an empty TCP Fast Open cookie option in 1286 the SYN sent to the remote server. If such a Transport Converter 1287 receives a Connect TLV with the TCP Fast Open cookie option that 1288 contains a cookie, it MUST copy the TCP Fast Open cookie option in 1289 the SYN sent to the remote server. 1291 5.7. TCP User Timeout 1293 The TCP User Timeout option is defined in [RFC5482]. The associated 1294 TCP option (Kind=28) does not appear to be widely deployed. 1296 5.8. TCP-AO 1298 TCP-AO [RFC5925] provides a technique to authenticate all the packets 1299 exchanged over a TCP connection. Given the nature of this extension, 1300 it is unlikely that the applications that require their packets to be 1301 authenticated end-to-end would want their connections to pass through 1302 a converter. For this reason, we do not recommend the support of the 1303 TCP-AO option by Transport Converters. The only use cases where it 1304 could make sense to combine TCP-AO and the solution in this document 1305 are those where the TCP-AO-NAT extension [RFC6978] is in use. 1307 A Transport Converter MUST NOT advertise the TCP-AO option (Kind=29) 1308 in the Supported TCP Extensions TLV. If a Transport Converter 1309 receives a Connect TLV that contains the TCP-AO option, it MUST 1310 reject the establishment of the connection with error code set to 1311 "Unsupported TCP Option", except if the TCP-AO-NAT option is used. 1313 5.9. TCP Experimental Options 1315 The TCP Experimental options are defined in [RFC4727]. Given the 1316 variety of semantics for these options and their experimental nature, 1317 it is impossible to discuss them in details in this document. 1319 6. Interactions with Middleboxes 1321 The Convert Protocol is designed to be used in networks that do not 1322 contain middleboxes that interfere with TCP. Under such conditions, 1323 it is assumed that the network provider ensures that all involved on- 1324 path nodes are not breaking TCP signals (e.g., strip TCP options, 1325 discard some SYNs, etc.). 1327 Nevertheless, and in order to allow for a robust service, this 1328 section describes how a Client can detect middlebox interference and 1329 stop using the Transport Converter affected by this interference. 1331 Internet measurements [IMC11] have shown that middleboxes can affect 1332 the deployment of TCP extensions. In this section, we only discuss 1333 the middleboxes that modify SYN and SYN+ACK packets since the Convert 1334 Protocol places its messages in such packets. 1336 Consider a middlebox that removes the SYN payload. The Client can 1337 detect this problem by looking at the acknowledgement number field of 1338 the SYN+ACK returned by the Transport Converter. The Client MUST 1339 stop to use this Transport Converter given the middlebox 1340 interference. 1342 Consider now a middlebox that drops SYN/ACKs with a payload. The 1343 Client won't be able to establish a connection via the Transport 1344 Converter. 1346 The case of a middlebox that removes the payload of SYN+ACKs (but not 1347 the payload of SYN) can be detected by a Client. This is hinted by 1348 the absence of an Error or Extended TCP Header TLV in a response. If 1349 an Error was returned by the Transport Converter, a message to close 1350 the connection would normally follow from the Converter. If no such 1351 message is received, the Client may continue to use this Converter. 1353 As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect 1354 the operation of TFO if they assign different IP addresses to the 1355 same end host. Such CGNs could affect the operation of the cookie 1356 validation used by the Convert Protocol. As a reminder CGNs, enabled 1357 on the path between a Client and a Transport Converter, must adhere 1358 to the address preservation defined in [RFC6888]. See also the 1359 discussion in Section 7.1 of [RFC7413]. 1361 7. Security Considerations 1363 7.1. Privacy & Ingress Filtering 1365 The Transport Converter may have access to privacy-related 1366 information (e.g., subscriber credentials). The Transport Converter 1367 is designed to not leak such sensitive information outside a local 1368 domain. 1370 Given its function and its location in the network, a Transport 1371 Converter has access to the payload of all the packets that it 1372 processes. As such, it MUST be protected as a core IP router (e.g., 1373 [RFC1812]). 1375 Furthermore, ingress filtering policies MUST be enforced at the 1376 network boundaries [RFC2827]. 1378 This document assumes that all network attachments are managed by the 1379 same administrative entity. Therefore, enforcing anti-spoofing 1380 filters at these network ensures that hosts are not sending traffic 1381 with spoofed source IP addresses. 1383 7.2. Authorization 1385 The Convert Protocol is intended to be used in managed networks where 1386 end hosts can be identified by their IP address. 1388 Stronger mutual authentication schemes MUST be defined to use the 1389 Convert Protocol in more open network environments. One possibility 1390 is to use TLS to perform mutual authentication between the client and 1391 the Converter. That is, use TLS when a Client retrieves a Cookie 1392 from the Converter and rely on certificate-based client 1393 authentication, pre-shared key based [RFC4279] or raw public key 1394 based client authentication [RFC7250] to secure this connection. 1396 If the authentication succeeds, the Converter returns a cookie to the 1397 Client. Subsequent Connect messages will be authorized as a function 1398 of the content of the Cookie TLV. 1400 In deployments where network-assisted connections are not allowed 1401 between hosts of a domain (i.e., hairpinning), the Converter may be 1402 instructed to discard such connections. Hairpinned connections are 1403 thus rejected by the Transport Converter by returning an Error TLV 1404 set to "Not Authorized". Absent explicit configuration otherwise, 1405 hairpinning is enabled by the Converter (see Figure 21. 1407 <===Network Provider===> 1409 +----+ from X1:x1 to X2':x2' +-----+ X1':x1' 1410 | C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+--- 1411 +----+ | v | 1412 | v | 1413 | v | 1414 | v | 1415 +----+ from X1':x1' to X2:x2 | v | X2':x2' 1416 | C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+--- 1417 +----+ +-----+ 1418 Converter 1420 Note: X2':x2' may be equal to 1421 X2:x2 1423 Figure 21: Hairpinning Example 1425 See below for authorization considerations that are specific for 1426 Multipath TCP. 1428 7.3. Denial of Service 1430 Another possible risk is the amplification attacks since a Transport 1431 Converter sends a SYN towards a remote Server upon reception of a SYN 1432 from a Client. This could lead to amplification attacks if the SYN 1433 sent by the Transport Converter were larger than the SYN received 1434 from the Client or if the Transport Converter retransmits the SYN. 1435 To mitigate such attacks, the Transport Converter SHOULD rate limit 1436 the number of pending requests for a given Client. It SHOULD also 1437 avoid sending to remote Servers SYNs that are significantly longer 1438 than the SYN received from the Client. Finally, the Transport 1439 Converter SHOULD only retransmit a SYN to a Server after having 1440 received a retransmitted SYN from the corresponding Client. Means to 1441 protect against SYN flooding attacks MUST also be enabled [RFC4987]. 1443 7.4. Traffic Theft 1445 Traffic theft is a risk if an illegitimate Converter is inserted in 1446 the path. Indeed, inserting an illegitimate Converter in the 1447 forwarding path allows traffic interception and can therefore provide 1448 access to sensitive data issued by or destined to a host. Converter 1449 discovery and configuration are out of scope of this document. 1451 7.5. Multipath TCP-specific Considerations 1453 Multipath TCP-related security threats are discussed in [RFC6181] and 1454 [RFC6824]. 1456 The operator that manages the various network attachments (including 1457 the Transport Converters) can enforce authentication and 1458 authorization policies using appropriate mechanisms. For example, a 1459 non-exhaustive list of methods to achieve authorization is provided 1460 hereafter: 1462 o The network provider may enforce a policy based on the 1463 International Mobile Subscriber Identity (IMSI) to verify that a 1464 user is allowed to benefit from the Multipath TCP converter 1465 service. If that authorization fails, the Packet Data Protocol 1466 (PDP) context/bearer will not be mounted. This method does not 1467 require any interaction with the Transport Converter for 1468 authorization matters. 1470 o The network provider may enforce a policy based upon Access 1471 Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG) 1472 to control the hosts that are authorized to communicate with a 1473 Transport Converter. These ACLs may be installed as a result of 1474 RADIUS exchanges, e.g., [I-D.boucadair-radext-tcpm-converter]. 1475 This method does not require any interaction with the Transport 1476 Converter for authorization matters. 1478 o A device that embeds a Transport Converter may also host a RADIUS 1479 client that will solicit an AAA server to check whether 1480 connections received from a given source IP address are authorized 1481 or not [I-D.boucadair-radext-tcpm-converter]. 1483 A first safeguard against the misuse of Transport Converter resources 1484 by illegitimate users (e.g., users with access networks that are not 1485 managed by the same provider that operates the Transport Converter) 1486 is the Transport Converter to reject Multipath TCP connections 1487 received on its Internet-facing interfaces. Only Multipath TCP 1488 connections received on the customer-facing interfaces of a Transport 1489 Converter will be accepted. 1491 8. IANA Considerations 1493 8.1. Convert Service Port Number 1495 IANA is requested to assign a TCP port number (TBA) for the Convert 1496 Protocol from the "Service Name and Transport Protocol Port Number 1497 Registry" available at https://www.iana.org/assignments/service- 1498 names-port-numbers/service-names-port-numbers.xhtml. 1500 Service Name: convert 1501 Port Number: TBD 1502 Transport Protocol(s): TCP 1503 Description: 0-RTT TCP Convert Protocol 1504 Assignee: IESG 1505 Contact: IETF Chair 1506 Reference: RFC XXXX 1508 8.2. The Convert Protocol (Convert) Parameters 1510 IANA is requested to create a new "The Convert Protocol (Convert) 1511 Parameters" registry. 1513 The following subsections detail new registries within "The Convert 1514 Protocol (Convert) Parameters" registry. 1516 8.2.1. Convert Versions 1518 IANA is requested to create the "Convert versions" sub-registry. New 1519 values are assigned via IETF Review (Section 4.8 of [RFC8126]). 1521 The initial values to be assigned at the creation of the registry are 1522 as follows: 1524 +---------+--------------------------------------+-------------+ 1525 | Version | Description | Reference | 1526 +---------+--------------------------------------+-------------+ 1527 | 0 | Reserved by this document | [This-RFC] | 1528 | 1 | Assigned by this document | [This-RFC] | 1529 +---------+--------------------------------------+-------------+ 1531 8.2.2. Convert TLVs 1533 IANA is requested to create the "Convert TLVs" sub-registry. The 1534 procedure for assigning values from this registry is as follows: 1536 o The values in the range 1-127 can be assigned via IETF Review. 1538 o The values in the range 128-191 can be assigned via Specification 1539 Required. 1541 o The values in the range 192-255 can be assigned for Private Use. 1543 The initial values to be assigned at the creation of the registry are 1544 as follows: 1546 +---------+--------------------------------------+-------------+ 1547 | Code | Name | Reference | 1548 +---------+--------------------------------------+-------------+ 1549 | 0 | Reserved | [This-RFC] | 1550 | 1 | Info TLV | [This-RFC] | 1551 | 10 | Connect TLV | [This-RFC] | 1552 | 20 | Extended TCP Header TLV | [This-RFC] | 1553 | 21 | Supported TCP Extension TLV | [This-RFC] | 1554 | 22 | Cookie TLV | [This-RFC] | 1555 | 30 | Error TLV | [This-RFC] | 1556 +---------+--------------------------------------+-------------+ 1558 8.2.3. Convert Error Messages 1560 IANA is requested to create the "Convert Errors" sub-registry. Codes 1561 in this registry are assigned as a function of the error type. Four 1562 types are defined; the following ranges are reserved for each of 1563 these types: 1565 o Message validation and processing errors: 0-31 1567 o Client-side errors: 32-63 1569 o Transport Converter-side errors: 64-95 1571 o Errors caused by destination server: 96-127 1573 The procedure for assigning values from this sub-registry is as 1574 follows: 1576 o 0-127: Values in this range are assigned via IETF Review. 1578 o 128-191: Values in this range are assigned via Specification 1579 Required. 1581 o 192-255: Values in this range are assigned for Private Use. 1583 The initial values to be assigned at the creation of the registry are 1584 as follows: 1586 +-------+------+-----------------------------------+-----------+ 1587 | Error | Hex | Description | Reference | 1588 +-------+------+-----------------------------------+-----------+ 1589 | 0 | 0x00 | Unsupported Version | [This-RFC]| 1590 | 1 | 0x01 | Malformed Message | [This-RFC]| 1591 | 2 | 0x02 | Unsupported Message | [This-RFC]| 1592 | 3 | 0x03 | Missing Cookie | [This-RFC]| 1593 | 32 | 0x20 | Not Authorized | [This-RFC]| 1594 | 33 | 0x21 | Unsupported TCP Option | [This-RFC]| 1595 | 64 | 0x40 | Resource Exceeded | [This-RFC]| 1596 | 65 | 0x41 | Network Failure | [This-RFC]| 1597 | 96 | 0x60 | Connection Reset | [This-RFC]| 1598 | 97 | 0x61 | Destination Unreachable | [This-RFC]| 1599 +-------+------+-----------------------------------+-----------+ 1601 Figure 22: The Convert Error Codes 1603 9. References 1605 9.1. Normative References 1607 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 1608 RFC 793, DOI 10.17487/RFC0793, September 1981, 1609 . 1611 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1612 Requirement Levels", BCP 14, RFC 2119, 1613 DOI 10.17487/RFC2119, March 1997, 1614 . 1616 [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key 1617 Ciphersuites for Transport Layer Security (TLS)", 1618 RFC 4279, DOI 10.17487/RFC4279, December 2005, 1619 . 1621 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 1622 Architecture", RFC 4291, DOI 10.17487/RFC4291, February 1623 2006, . 1625 [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, 1626 ICMPv6, UDP, and TCP Headers", RFC 4727, 1627 DOI 10.17487/RFC4727, November 2006, 1628 . 1630 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 1631 Translation (NAT) Behavioral Requirements for Unicast 1632 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 1633 2007, . 1635 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 1636 Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, 1637 . 1639 [RFC5482] Eggert, L. and F. Gont, "TCP User Timeout Option", 1640 RFC 5482, DOI 10.17487/RFC5482, March 2009, 1641 . 1643 [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP 1644 Authentication Option", RFC 5925, DOI 10.17487/RFC5925, 1645 June 2010, . 1647 [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, 1648 "TCP Extensions for Multipath Operation with Multiple 1649 Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013, 1650 . 1652 [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, 1653 A., and H. Ashida, "Common Requirements for Carrier-Grade 1654 NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, 1655 April 2013, . 1657 [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, 1658 "Special-Purpose IP Address Registries", BCP 153, 1659 RFC 6890, DOI 10.17487/RFC6890, April 2013, 1660 . 1662 [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., 1663 Weiler, S., and T. Kivinen, "Using Raw Public Keys in 1664 Transport Layer Security (TLS) and Datagram Transport 1665 Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, 1666 June 2014, . 1668 [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP 1669 Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, 1670 . 1672 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 1673 Writing an IANA Considerations Section in RFCs", BCP 26, 1674 RFC 8126, DOI 10.17487/RFC8126, June 2017, 1675 . 1677 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1678 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1679 May 2017, . 1681 9.2. Informative References 1683 [ANRW17] Trammell, B., Kuhlewind, M., De Vaere, P., Learmonth, I., 1684 and G. Fairhurst, "Tracking transport-layer evolution with 1685 PATHspider", Applied Networking Research Workshop 2017 1686 (ANRW17) , July 2017. 1688 [Fukuda2011] 1689 Fukuda, K., "An Analysis of Longitudinal TCP Passive 1690 Measurements (Short Paper)", Traffic Monitoring and 1691 Analysis. TMA 2011. Lecture Notes in Computer Science, vol 1692 6613. , 2011. 1694 [HotMiddlebox13b] 1695 Detal, G., Paasch, C., and O. Bonaventure, "Multipath in 1696 the Middle(Box)", HotMiddlebox'13 , December 2013, 1697 . 1700 [I-D.arkko-arch-low-latency] 1701 Arkko, J. and J. Tantsura, "Low Latency Applications and 1702 the Internet Architecture", draft-arkko-arch-low- 1703 latency-02 (work in progress), October 2017. 1705 [I-D.boucadair-mptcp-plain-mode] 1706 Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel, 1707 D., stefano.secci@lip6.fr, s., Henderickx, W., Skog, R., 1708 Vinapamula, S., Seo, S., Cloetens, W., Meyer, U., 1709 Contreras, L., and B. Peirens, "Extensions for Network- 1710 Assisted MPTCP Deployment Models", draft-boucadair-mptcp- 1711 plain-mode-10 (work in progress), March 2017. 1713 [I-D.boucadair-radext-tcpm-converter] 1714 Boucadair, M. and C. Jacquenet, "RADIUS Extensions for 1715 0-RTT TCP Converters", draft-boucadair-radext-tcpm- 1716 converter-02 (work in progress), April 2019. 1718 [I-D.boucadair-tcpm-dhc-converter] 1719 Boucadair, M., Jacquenet, C., and R. K, "DHCP Options for 1720 0-RTT TCP Converters", draft-boucadair-tcpm-dhc- 1721 converter-02 (work in progress), April 2019. 1723 [I-D.nam-mptcp-deployment-considerations] 1724 Boucadair, M., Jacquenet, C., Bonaventure, O., Henderickx, 1725 W., and R. Skog, "Network-Assisted MPTCP: Use Cases, 1726 Deployment Scenarios and Operational Considerations", 1727 draft-nam-mptcp-deployment-considerations-01 (work in 1728 progress), December 2016. 1730 [I-D.olteanu-intarea-socks-6] 1731 Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6", 1732 draft-olteanu-intarea-socks-6-07 (work in progress), July 1733 2019. 1735 [I-D.peirens-mptcp-transparent] 1736 Peirens, B., Detal, G., Barre, S., and O. Bonaventure, 1737 "Link bonding with transparent Multipath TCP", draft- 1738 peirens-mptcp-transparent-00 (work in progress), July 1739 2016. 1741 [IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployment", 1742 IETF Journal, Fall 2016 , n.d.. 1744 [IMC11] Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A., 1745 Handley, M., and T. Hideyuki, "Is it still possible to 1746 extend TCP?", Proceedings of the 2011 ACM SIGCOMM 1747 conference on Internet measurement conference , 2011. 1749 [RFC1323] Jacobson, V., Braden, R., and D. Borman, "TCP Extensions 1750 for High Performance", RFC 1323, DOI 10.17487/RFC1323, May 1751 1992, . 1753 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 1754 RFC 1812, DOI 10.17487/RFC1812, June 1995, 1755 . 1757 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 1758 RFC 1919, DOI 10.17487/RFC1919, March 1996, 1759 . 1761 [RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and 1762 L. Jones, "SOCKS Protocol Version 5", RFC 1928, 1763 DOI 10.17487/RFC1928, March 1996, 1764 . 1766 [RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP 1767 Selective Acknowledgment Options", RFC 2018, 1768 DOI 10.17487/RFC2018, October 1996, 1769 . 1771 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 1772 Defeating Denial of Service Attacks which employ IP Source 1773 Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, 1774 May 2000, . 1776 [RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z. 1777 Shelby, "Performance Enhancing Proxies Intended to 1778 Mitigate Link-Related Degradations", RFC 3135, 1779 DOI 10.17487/RFC3135, June 2001, 1780 . 1782 [RFC6181] Bagnulo, M., "Threat Analysis for TCP Extensions for 1783 Multipath Operation with Multiple Addresses", RFC 6181, 1784 DOI 10.17487/RFC6181, March 2011, 1785 . 1787 [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and 1788 P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, 1789 DOI 10.17487/RFC6887, April 2013, 1790 . 1792 [RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis, 1793 "Increasing TCP's Initial Window", RFC 6928, 1794 DOI 10.17487/RFC6928, April 2013, 1795 . 1797 [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT 1798 Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013, 1799 . 1801 [RFC7323] Borman, D., Braden, B., Jacobson, V., and R. 1802 Scheffenegger, Ed., "TCP Extensions for High Performance", 1803 RFC 7323, DOI 10.17487/RFC7323, September 2014, 1804 . 1806 [RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A. 1807 Zimmermann, "A Roadmap for Transmission Control Protocol 1808 (TCP) Specification Documents", RFC 7414, 1809 DOI 10.17487/RFC7414, February 2015, 1810 . 1812 [RFC8041] Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and 1813 Operational Experience with Multipath TCP", RFC 8041, 1814 DOI 10.17487/RFC8041, January 2017, 1815 . 1817 [RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2: 1818 Better Connectivity Using Concurrency", RFC 8305, 1819 DOI 10.17487/RFC8305, December 2017, 1820 . 1822 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1823 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1824 . 1826 [RFC8548] Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack, 1827 Q., and E. Smith, "Cryptographic Protection of TCP Streams 1828 (tcpcrypt)", RFC 8548, DOI 10.17487/RFC8548, May 2019, 1829 . 1831 [TS23501] 3GPP (3rd Generation Partnership Project), ., "Technical 1832 Specification Group Services and System Aspects; System 1833 Architecture for the 5G System; Stage 2 (Release 16)", 1834 2019, . 1837 Appendix A. Change Log 1839 This section to be removed before publication. 1841 o 00 : initial version, designed to support Multipath TCP and TFO 1842 only 1844 o 00 to -01 : added section Section 5 describing the support of 1845 different standard tracks TCP options by Transport Converters, 1846 clarification of the IANA section, moved the SOCKS comparison to 1847 the appendix and various minor modifications 1849 o 01 to -02: Minor modifications 1851 o 02 to -03: Minor modifications 1853 o 03 to -04: Minor modifications 1855 o 04 to -05: Integrate a lot of feedback from implementors who have 1856 worked on client and server side implementations. The main 1857 modifications are the following : 1859 * TCP Fast Open is not strictly required anymore. Several 1860 implementors expressed concerns about this requirement. The 1861 TFO Cookie protects from some attack scenarios that affect open 1862 servers like web servers. The Convert protocol is different 1863 and as discussed in RFC7413, there are different ways to 1864 protect from such attacks. Instead of using a TFO cookie 1865 inside the TCP options, which consumes precious space in the 1866 extended TCP header, this version supports the utilization of a 1867 Cookie that is placed in the SYN payload. This provides the 1868 same level of protection as a TFO Cookie in environments were 1869 such protection is required. 1871 * the Bootstrap procedure has been simplified based on feedback 1872 from implementers 1874 * Error messages are not included in RST segments anymore but 1875 sent in the bytestream. Implementors have indicated that 1876 processing such segments on clients was difficult on some 1877 platforms. This change simplifies client implementations. 1879 * Many minor editorial changes to clarify the text based on 1880 implementors feedback. 1882 o 05 to -06: Many clarifications to integrate the comments from the 1883 chairs in preparation to the WGLC: 1885 * Updated IANA policy to require "IETF Review" instead of 1886 "Standard Action" 1888 * Call out explicitly that data in SYNs are relayed by the 1889 Converter 1891 * Reiterate the scope 1893 * Hairpinning behavior can be disabled (policy-based) 1895 * Fix nits 1897 o 07: 1899 * Update the text about supplying data in SYNs to make it clear 1900 that a constraint defined in RFC793 is relaxed following the 1901 same rationale as in RFC7413. 1903 * Nits 1905 * Added Appendix A on example Socket API changes 1907 o 08: 1909 * Added short discussion on the termination of connections 1911 o 09: 1913 * Various to comments received during last call 1915 Appendix B. Example Socket API Changes to Support the 0-RTT Convert 1916 Protocol 1918 B.1. Active Open (Client Side) 1920 On the client side, the support of the 0-RTT Converter protocol does 1921 not require any other changes than those identified in Appendix A of 1922 [RFC7413]. Those modifications are already supported by multiple TCP 1923 stacks. 1925 As an example, on Linux, a client can send the 0-RTT Convert message 1926 inside a SYN by using sendto with the MSG_FASTOPEN flag as shown in 1927 the example below: 1929 s = socket(AF_INET, SOCK_STREAM, 0); 1931 sendto(s, buffer, buffer_len, MSG_FASTOPEN, 1932 (struct sockaddr *) &server_addr, addr_len); 1934 The client side of the Linux TCP TFO can be used in two different 1935 modes depending on the host configuration (sysctl tcp_fastopen 1936 variable): 1938 o 0x1: (client) enables sending data in the opening SYN on the 1939 client. 1941 o 0x4: (client) send data in the opening SYN regardless of cookie 1942 availability and without a cookie option. 1944 By setting this configuration variable to 0x5, a Linux client using 1945 the above code would send data inside the SYN without using a TFO 1946 option. 1948 B.2. Passive Open (Converter Side) 1950 The Converter needs to enable the reception of data inside the SYN 1951 independently of the utilization of the TFO option. This implies 1952 that the Transport Converter application cannot rely on the TFO 1953 cookies to validate the reachability of the IP address that sent the 1954 SYN. It must rely on other techniques, such as the Cookie TLV 1955 described in this document, to verify this reachability. 1957 [RFC7413] suggested the utilization of a TCP_FASTOPEN socket option 1958 the enable the reception of SYNs containing data. Later, Appendix A 1959 of [RFC7413], mentioned: 1961 Traditionally, accept() returns only after a socket is connected. 1962 But, for a Fast Open connection, accept() returns upon receiving 1963 SYN with a valid Fast Open cookie and data, and the data is available 1964 to be read through, e.g., recvmsg(), read(). 1966 To support the 0-RTT Convert protocol, this behavior should be 1967 modified as follows: 1969 Traditionally, accept() returns only after a socket is connected. 1970 But, for a Fast Open connection, accept() returns upon receiving a 1971 SYN with data, and the data is available to be read through, e.g., 1972 recvmsg(), read(). The application that receives such SYNs with data 1973 must be able to validate the reachability of the source of the SYN 1974 and also deal with replayed SYNs. 1976 The Linux server side can be configured with the following sysctls: 1978 o 0x2: (server) enables the server support, i.e., allowing data in a 1979 SYN packet to be accepted and passed to the application before 1980 3-way handshake finishes. 1982 o 0x200: (server) accept data-in-SYN w/o any cookie option present. 1984 However, this configuration is system-wide. This is convenient for 1985 typical Transport Converter deployments where no other applications 1986 relying on TFO are collocated on the same device. 1988 Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added to 1989 provide the same behavior on a per socket basis. This enables a 1990 single host to support both servers that require the TFO cookie and 1991 servers that do not use it. 1993 Appendix C. Some Design Considerations 1995 Several implementors expressed concerns about the use of TFO. As a 1996 reminder, the TFO Cookie protects from some attack scenarios that 1997 affect open servers like web servers. The Convert protocol is 1998 different and as discussed in RFC7413, there are different ways to 1999 protect from such attacks. Instead of using a TFO cookie inside the 2000 TCP options, which consumes precious space in the extended TCP 2001 header, the Convert protocol supports the utilization of a Cookie 2002 that is placed in the SYN payload. This provides the same level of 2003 protection as a TFO Cookie in environments were such protection is 2004 required. 2006 Error messages are not included in RST segments but sent in the 2007 bytestream. Implementors have indicated that processing such 2008 segments on clients was difficult on some platforms. This change 2009 simplifies client implementations. 2011 Appendix D. Differences with SOCKSv5 2013 At a first glance, the solution proposed in this document could seem 2014 similar to the SOCKS v5 protocol [RFC1928] which is used to proxy TCP 2015 connections. The Client creates a connection to a SOCKS proxy, 2016 exchanges authentication information and indicates the destination 2017 address and port of the final server. At this point, the SOCKS proxy 2018 creates a connection towards the final server and relays all data 2019 between the two proxied connections. The operation of an 2020 implementation based on SOCKSv5 is illustrated in Figure 23. 2022 Client SOCKS Proxy Server 2023 --------------------> 2024 SYN 2025 <-------------------- 2026 SYN+ACK 2027 --------------------> 2028 ACK 2030 --------------------> 2031 Version=5, Auth Methods 2032 <-------------------- 2033 Method 2034 --------------------> 2035 Auth Request (unless "No auth" method negotiated) 2036 <-------------------- 2037 Auth Response 2038 --------------------> 2039 Connect Server:Port --------------------> 2040 SYN 2042 <-------------------- 2043 SYN+ACK 2044 <-------------------- 2045 Succeeded 2047 --------------------> 2048 Data1 2049 --------------------> 2050 Data1 2052 <-------------------- 2053 Data2 2054 <-------------------- 2055 Data2 2057 Figure 23: Establishment of a TCP connection through a SOCKS proxy 2058 without authentication 2060 The Convert protocol also relays data between an upstream and a 2061 downstream connection, but there are important differences with 2062 SOCKSv5. 2064 A first difference is that the Convert protocol exchanges all control 2065 information during the three-way handshake. This reduces the 2066 connection establishment delay compared to SOCKS that requires two or 2067 more round-trip-times before the establishment of the downstream 2068 connection towards the final destination. In today's Internet, 2069 latency is a important metric and various protocols have been tuned 2070 to reduce their latency [I-D.arkko-arch-low-latency]. A recently 2071 proposed extension to SOCKS leverages the TFO option 2072 [I-D.olteanu-intarea-socks-6]. 2074 A second difference is that the Convert protocol explicitly takes the 2075 TCP extensions into account. By using the Convert protocol, the 2076 Client can learn whether a given TCP extension is supported by the 2077 destination Server. This enables the Client to bypass the Transport 2078 Converter when the destination supports the required TCP extension. 2079 Neither SOCKS v5 [RFC1928] nor the proposed SOCKS v6 2080 [I-D.olteanu-intarea-socks-6] provide such a feature. 2082 A third difference is that a Transport Converter will only accept the 2083 connection initiated by the Client provided that the downstream 2084 connection is accepted by the Server. If the Server refuses the 2085 connection establishment attempt from the Transport Converter, then 2086 the upstream connection from the Client is rejected as well. This 2087 feature is important for applications that check the availability of 2088 a Server or use the time to connect as a hint on the selection of a 2089 Server [RFC8305]. 2091 A fourth difference is that the Convert protocol only allows the 2092 client to specify the address/port of the destination server and not 2093 a DNS name. We evaluated an alternate design for the Connect TLV 2094 that included the DNS name of the remote peer instead of its IP 2095 address as in SOCKS [RFC1928]. However, that design was not adopted 2096 because it induces both an extra load and increased delays on the 2097 Transport Converter to handle and manage DNS resolution requests. 2099 Acknowledgements 2101 Although they could disagree with the contents of the document, we 2102 would like to thank Joe Touch and Juliusz Chroboczek whose comments 2103 on the MPTCP mailing list have forced us to reconsider the design of 2104 the solution several times. 2106 We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha 2107 Nandugudi and Gregory Vander Schueren for their help in preparing 2108 this document. Nandini Ganesh provided valuable feedback about the 2109 handling of TFO and the error codes. Yuchung Cheng and Praveen 2110 Balasubramanian helped to clarify the discussion on supplying data in 2111 SYNs. Phil Eardley and Michael Scharf's helped to clarify different 2112 parts of the text. 2114 This document builds upon earlier documents that proposed various 2115 forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode], 2116 [I-D.peirens-mptcp-transparent] and [HotMiddlebox13b]. 2118 From [I-D.boucadair-mptcp-plain-mode]: 2120 Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi 2121 Nishida, and Christoph Paasch for their valuable comments. 2123 Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and 2124 Sri Gundavelli for the fruitful discussions in IETF#95 (Buenos 2125 Aires). 2127 Special thanks to Pierrick Seite, Yannick Le Goff, Fred Klamm, and 2128 Xavier Grall for their inputs. 2130 Thanks also to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas 2131 Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves 2132 Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun 2133 Srinivasan, and Raghavendra Mallya for the discussion. 2135 Contributors 2137 Bart Peirens contributed to an early version of the document. 2139 As noted above, this document builds on two previous documents. 2141 The authors of [I-D.boucadair-mptcp-plain-mode] were: 2143 o Mohamed Boucadair 2145 o Christian Jacquenet 2147 o Olivier Bonaventure 2149 o Denis Behaghel 2151 o Stefano Secci 2153 o Wim Henderickx 2155 o Robert Skog 2157 o Suresh Vinapamula 2159 o SungHoon Seo 2161 o Wouter Cloetens 2163 o Ullrich Meyer 2165 o Luis M. Contreras 2166 o Bart Peirens 2168 The authors of [I-D.peirens-mptcp-transparent] were: 2170 o Bart Peirens 2172 o Gregory Detal 2174 o Sebastien Barre 2176 o Olivier Bonaventure 2178 Authors' Addresses 2180 Olivier Bonaventure (editor) 2181 Tessares 2183 Email: Olivier.Bonaventure@tessares.net 2185 Mohamed Boucadair (editor) 2186 Orange 2187 Rennes 35000 2188 France 2190 Email: mohamed.boucadair@orange.com 2192 Sri Gundavelli 2193 Cisco 2195 Email: sgundave@cisco.com 2197 SungHoon Seo 2198 Korea Telecom 2200 Email: sh.seo@kt.com 2202 Benjamin Hesmans 2203 Tessares 2205 Email: Benjamin.Hesmans@tessares.net